https://community.splunk.com/t5/Splunk-Enterprise/Search-Head-Cluster-Failed-HMAC-signature-match-errors/m-p/629310#M15288 <P>Hi, I am running a Search Head Cluster with 7 search heads on Splunk 8.2.9.</P><P>2 of the search heads are generating the following error messages at ~5 second intervals for a period of time before stopping:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">ERROR DigestProcessor [38271 TcpChannelThread] - Failed signature match ERROR HTTPAuthManager [38271 TcpChannelThread] - Failed to verify HMAC signature, uri: /services/shcluster/member/consensus/pseudoid/raft_request_vote?output_mode=json</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>The search head cluster is otherwise running as expected as far as I can tell.</P><P>The search heads that are producing these errors are the only 2 that have been elected as captain in the last 30 days from examining the logs. There are no preferred captain or similar configurations set.</P><P>I have checked the [shclustering] pass4SymmKey values on each search head. They are all configured to the same value although use different Splunk Secrets to encrypt.</P><P>I am not sure when the errors first started appearing so can't link this to a specific upgrade on configuration change unfortunately.</P><P>The thread_id values seem to stay around for between 10-30 minutes. Sometimes 2 thread_ids will be active at once, sometimes none are active for a period. When looking at other logs for a particular thread_id around the same time period (at info logging level) I can't find see anything that adds any more cluses to what is causing the errors.</P><P>&nbsp;</P> Thu, 02 Feb 2023 10:32:05 GMT a_kearney 2023-02-02T10:32:05Z https://community.splunk.com/t5/Splunk-Enterprise/Search-Head-Cluster-Failed-HMAC-signature-match-errors/m-p/629310#M15288 <P>Hi, I am running a Search Head Cluster with 7 search heads on Splunk 8.2.9.</P><P>2 of the search heads are generating the following error messages at ~5 second intervals for a period of time before stopping:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">ERROR DigestProcessor [38271 TcpChannelThread] - Failed signature match ERROR HTTPAuthManager [38271 TcpChannelThread] - Failed to verify HMAC signature, uri: /services/shcluster/member/consensus/pseudoid/raft_request_vote?output_mode=json</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>The search head cluster is otherwise running as expected as far as I can tell.</P><P>The search heads that are producing these errors are the only 2 that have been elected as captain in the last 30 days from examining the logs. There are no preferred captain or similar configurations set.</P><P>I have checked the [shclustering] pass4SymmKey values on each search head. They are all configured to the same value although use different Splunk Secrets to encrypt.</P><P>I am not sure when the errors first started appearing so can't link this to a specific upgrade on configuration change unfortunately.</P><P>The thread_id values seem to stay around for between 10-30 minutes. Sometimes 2 thread_ids will be active at once, sometimes none are active for a period. When looking at other logs for a particular thread_id around the same time period (at info logging level) I can't find see anything that adds any more cluses to what is causing the errors.</P><P>&nbsp;</P> Thu, 02 Feb 2023 10:32:05 GMT https://community.splunk.com/t5/Splunk-Enterprise/Search-Head-Cluster-Failed-HMAC-signature-match-errors/m-p/629310#M15288 a_kearney 2023-02-02T10:32:05Z